Hello David,

Using any putty&securecrt  i can telnet / ssh to remote routter or firewall. Sitting on Router console can i ssh to ASA.

I got 12.4 K9 ios running on a 2801 router.

My second request was sitting on firewall-ASA can i telnet and ssh to a remote router or asa. 

thanks

Joe

Joe,

Cisco firewalls don't have SSH or telnet clients, so you can telnet or SSH to the firewall but not from the firewall.

If you are on the router you can SSH to a router or firewall, provided you have the permissions to do so.

HTH

Sitting on Router

R# ssh 1.2.3.4

is it normal it wont ask for username but password and then enable password.

Same router when ssh from putty ask for username and password

Hi Reza,

I was reading this post where you said

Sitting on Router

R# ssh 1.2.3.4

is it normal it wont ask for username but password and then enable password.

Same router when ssh from putty ask for username and password

i tried on my router

2691Router#ssh 192.168.5.2

Password:

Password:

Password:

3550SMIA>en
Password:
3550SMIA#

Can you please tell me why is that it only ask for pw when we ssh from other router but when we ssh from putty it ask

for both username and pw?

Thanks

MAhesh

Mahesh,

It does not make any difference when try to login from another router or putty.

What I was saying is this:

you can login to the router by just providing a password without a username or you can login with user name and password which is more secure and should be practiced.

basically if you remove "login local" from your vty lines and assign an enable secret, you can login with enable secret password without any username

HTH

Hi Reza,

thanks for reply back

but in my case here is 3550 config

line vty 0 4

exec-timeout 60 0

length 500

transport input telnet ssh

escape-character 3

line vty 5 15

exec-timeout 60 0

length 500

transport input telnet ssh

escape-character 3

username mintoo privilege 15 secret 5 $1$JKF9$S8eq/83XCKWRrC3521Djv0

i can ssh to switch using putty then it ask for username and pw  even though no login command is there.

do you why is this?

thanks

Dear Joe,

to get asked for a username + password on the login you need to perform the following steps:

conf t

     username privilege password <0,7>

     aaa new-model

     aaa authentication login default local

     aaa session-id common

end

wr

copy run start

first you create a new user with username, permission level and password.

0 after 'password' means it is followed by a clear-text, non encrypted password, 7 stands for you will enter

an already encrypted password (caution!!!, encryption algorithm must match!)

you then enable the aaa framework, aaa stands for authorization, authentication, accounting.

AAA provides the following benefits:

•Increased flexibility and control of access configuration

•Scalability 

•Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos 

•Multiple backup systems

(taken from: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html)

the line 'aaa authentication login default local' means, that you enable local authentication involving

those user/access credentials you configure directly on the cisco box. there are many other facilities available,

such as radius, or databases.

the line naming on 'aaa session-id common' enables a kind of session handling with a regular system session id for e.g. login expire, expire on idle, session-loging

I trust the above is of use of you.

All the best,

David.

Dear Joe,

I am sorry to admit, that I have only some minor experience with Cisco routers, not with Cisco ASA Systems or Cisco

firewalls - I actually do not know, if the ASA-Systems are firewalls or even switches..... ;-)

Your IOS 12.4K9 should support opening a ssh session from the cisco router console to another host.

As Reza & me already outlined: sufficient network setup and proper permissions are essential for a successful ssh session.

All the best,

David.

I believe that the excellent discussion of configuring AAA authentication to require user name and password fails to address one important aspect of the question about why sometimes you are asked only for a password and not the user name and password. They are assuming that the configuration of the router or switch was calling only for the line password. But I have had experiences where this clearly was not the case.

When you SSH from SecureCRT which is running on your PC my experience is that it will always need the user name in addition to the password. But if you SSH or telnet to a router and authenticate with your user name and also password, and then you SSH from the router to another router or switch you will be prompted only for the password (even though the router or switch is correctly configured to require name and password). What is happening is that in initiating the SSH session the router has supplied your user name for the new SSH session to the other router or switch and all the router or switch requires is the password. You can check it out by following this process:

- SSH or telnet to a router and authenticate with name and password.

- from that router SSH to another router. the router should prompt only for password.

- in your session on the second router issue the command show user.

- you should see that the router has your user name associated with your session (even though it did not prompt you for the user name it has learned the user name).

HTH

Rick

Hi Rick,

Many thanks for answering my question in detail.

in this forum i always like to read your answers to the posted questions.

your explanation is always in depth and amazing.

Best regards

Mahesh

I'm surprised that the refusal of everyone else to write a correct answer thank you so much for actually answering the question asked

You are welcome. I do not necessarily see this as people refusing to write a correct answer. The original question was about ssh and telnet from a router and from an ASA. There were a couple of correct answers about that. Then the question went in a different direction asking why sometimes an ssh from the router prompts only for password and not for ID. Some thought that it might relate to how aaa authentication was configured. I thought that it would relate to whether the device that originates the ssh request has already authenticated your ID and password. Once I posted my explanation the others did not have anything to add to it and so did not post any further responses.

HTH

Rick